Designing a Security Group Strategy

Security groups enable an organization to control and define users' access to resources. Designing a security group strategy entails determining the type of security group to implement as well as how to manage and maintain groups.

Defining the Scope of a Security Group to Meet Requirements

When you're planning security groups, you must determine what type of security group to use. Windows Server 2003 supports four different types of security groups:

  • Local groups

  • Global groups

  • Domain local groups

  • Universal groups

Note: Local groups are found on computers running Windows XP Professional and on computers running Windows Server 2003 that are configured as member servers. Local groups can contain user accounts only on the local computer. They're used to assign permissions to a group of users for resources on the computer where the group has been created. The difference between a local group and a domain local group is that a domain local group can be used to grant users permissions to resources throughout a domain, whereas a local group grants access only to resources on the local computer.


You'll select the type of group when creating a new group using the Active Directory Users and Computers MMC snap-in. You can also change the group type for existing groups using the same interface (see Figure 4.4).

Figure 4.4. Selecting the type of group to create.


Note: The option to create a universal group is not available if the domain functional level is Windows 2000 Mixed.


Global Groups

The first type of security group created in a domain is the global group. Global groups are used to logically organize users within a domain who have common needs and to assign them permissions to network resources. When deciding whether to use global groups, keep the following characteristics in mind:

  • A global group can contain other global groups or user accounts only from the domain in which the group was created.

  • After the group has been created, it can be assigned permissions to resources throughout the forest. The group name will appear in the global catalog so that trusted domains can assign the group permissions to their resources.

  • If network traffic is a concern, consider using global groups. Because only the name of the group is replicated to the global catalog server, not the actual membership list, network traffic is less than for universal groups.

Note: Group membership will still be replicated within the domain but not to other domains.


Domain Local Groups

Like global groups, domain local groups are also used to assign permissions to resources on the network. Domain local groups are used to organize users throughout the forest to assign them permissions to resources in the local domain. Domain local groups have the following characteristics:

  • Domain local groups can contain global groups and user accounts from any domain in the forest.

  • A domain local group can be used to assign permissions to resources only within the domain where the group has been created.

Unlike a global group, a domain local group is not replicated to global catalog servers within the forest because other domains cannot use it. The group name and membership are still replicated between domain controllers within the domain where the group is created.

Universal Groups

The third type of security group in a domain is the universal group. This type of group is used to assign a group of users from different domains permission to network resources throughout the forest.

Universal groups are also used to combine groups from multiple domains. For example, if there is a Managers group within each domain, you can create a Managers group with a universal scope and add each of the Managers groups from the various domains. This group can then be used throughout the enterprise.

Here are some points to keep in mind concerning universal groups:

  • Universal groups can contain other universal groups (nesting), global groups, and also user accounts from any domain.

  • A universal group can be assigned permissions to resources throughout the forest.

When deciding whether to use universal groups, keep in mind that they are available only when the functional level is set to Windows 2000 Native or Windows Server 2003.

Any universal group you create, together with its membership list, is replicated to every global catalog server in the forest, so be sure to keep membership static and to a minimum. Doing so will help reduce replication traffic. Restricting universal group membership to global groups only is good practice: the membership of the universal group then changes rarely, which reduces global catalog replication traffic.
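The membership rule above is easy to state and easy to drift from over time. The following script, an added example that is not from the book, audits every universal group in the domain and reports any direct member that is not a global group (a user, a computer, a nested universal group, and so on), because each such entry is a membership change that must replicate to every global catalog server. It assumes the ActiveDirectory PowerShell module and an account with rights to read group membership; the module post-dates Windows Server 2003 but the group scopes and the rule being checked are the same.

```powershell
# Added example (not from the book): find universal groups whose direct members
# are anything other than global groups. Assumes the ActiveDirectory module is
# available and the caller can read group membership.
Import-Module ActiveDirectory

$findings = foreach ($ug in Get-ADGroup -Filter 'GroupScope -eq "Universal"') {
    foreach ($member in Get-ADGroupMember -Identity $ug) {
        # For group members, look up the scope; for anything else, report the class.
        $memberType = if ($member.objectClass -eq 'group') {
            (Get-ADGroup -Identity $member.distinguishedName).GroupScope
        } else {
            $member.objectClass          # user, computer, ...
        }
        if ($memberType -ne 'Global') {
            [pscustomobject]@{
                UniversalGroup = $ug.Name
                Member         = $member.Name
                MemberType     = $memberType
            }
        }
    }
}

# An empty result means every universal group contains only global groups.
$findings | Sort-Object UniversalGroup, Member | Format-Table -AutoSize
```

Run it from a management workstation before and after a group cleanup; anything it lists should either be moved into a global group (and that global group nested in the universal group) or justified as an exception.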

Defining Resource Access Requirements

Now that you're familiar with the different security groups in Windows Server 2003, let's take a look at resource access requirements. Access to network resources can be managed using several different methods. For example, permissions to network resources can be granted to individual user accounts or to security groups. You obviously must take an organization's resource access requirements under consideration when you determine which strategy to use.

Resource Access Methods

Because each user requires a user account to log on to a domain, you can use these accounts to grant access to network resources. That means permission to a resource must be granted to each user account that requires access. This method might be ideal for small organizations with few user accounts and network resources. But in larger environments, it can be very difficult to track what resources a particular user has been granted access to. For individual resources, you might need to assign permissions to specific user accounts.

Another option, which is better in terms of both administration and scalability, is to place users into global groups and grant permissions to the groups as opposed to individual user accounts. However, keep in mind that if different groups require different access to a resource, each group must be added to the access control list (ACL) for the resource and granted permission.

Finally, you can also grant access to network resources using resource groups. With this method, user accounts are still placed in global groups, but groups are also created for network resources. For example, if you have a printer on the network, you could create a resource group called PrtSrv. Permissions would then be assigned to the resource groups. To grant users access to a network resource, the appropriate global groups would be added to the resource group. The difference between this method and the method outlined earlier is that permission to a resource needs to be set only once on the resource group.
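The resource-group method reads more clearly as a script than as prose. The following is an added example, not code from the book: it builds two role groups with global scope, one resource group with domain local scope, nests the role groups in the resource group, and sets the permission once on the resource. To keep the ACL step self-contained it uses a shared folder rather than the printer in the text; the domain name contoso.com, the OU path, the group names GG-Sales, GG-Managers and DL-PrtSrv-Change, and the folder D:\Shares\PrtSrv are all assumptions, and the ActiveDirectory module it uses post-dates Windows Server 2003.

```powershell
# Added example (not from the book): the resource-group model with the
# ActiveDirectory module. All names below are assumptions for illustration.
Import-Module ActiveDirectory

$groupOu = 'OU=Groups,DC=contoso,DC=com'   # assumed OU that holds security groups
$share   = 'D:\Shares\PrtSrv'              # assumed resource on this file server

# 1. Role groups: global scope, containing user accounts from this domain.
foreach ($role in 'GG-Sales', 'GG-Managers') {
    if (-not (Get-ADGroup -Filter "Name -eq '$role'")) {
        New-ADGroup -Name $role -GroupScope Global -GroupCategory Security -Path $groupOu
    }
}

# 2. Resource group: domain local scope, named for the resource and the access
#    level, not for the people. It can take members from any domain in the forest
#    but can only be granted permissions inside this domain.
$resourceGroup = 'DL-PrtSrv-Change'
if (-not (Get-ADGroup -Filter "Name -eq '$resourceGroup'")) {
    New-ADGroup -Name $resourceGroup -GroupScope DomainLocal -GroupCategory Security -Path $groupOu
}

# 3. Nest the role groups in the resource group. Granting a new role access later
#    is a membership change here, not a change to the resource's ACL.
Add-ADGroupMember -Identity $resourceGroup -Members 'GG-Sales', 'GG-Managers'

# 4. Set the permission exactly once, on the resource group.
$acl  = Get-Acl -Path $share
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "CONTOSO\$resourceGroup",
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl
```

The payoff of step 4 is that the ACL on the resource never needs to be touched again for routine access changes: reviewing who can reach the share becomes a review of one domain local group's membership, and removing a role's access is a single Remove-ADGroupMember call.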

Defining User Roles

Part of the Active Directory design process entails defining user roles for access control. Roles should be based on the organization structure of a company. Roles will most often be based on job categories (such as sales) or on responsibility. For example, you might choose to create a role called Help Desk. In any case, a thorough assessment of the current structure and goals of a company must be performed to ensure that the roles defined meet all the necessary requirements.



MCSE Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure Exam Cram 2 (Exam Cram 70-297)
ISBN: 0789730154
Year: 2003
Pages: 152